Legal notice prevents flaw exposure

A proprietary software company in the US has issued a legal
threat to a security firm to prevent the latter from releasing
details of flaws in its products.

The security firm, Next Generation Security Software, had
informed the vendor, Sybase, and waited for patches to be released
before announcing that it would release full details of the flaws -
as is common practice in the industry.

NGSS goes one better than many other security firms by waiting
for three months after a patch has been released by a vendor before
it releases details of a vulnerability.

In a posting to the Bugtraq vulnerability mailing list, NGSS
said that in 2004, it had reported a number of serious security
issues in Sybase ASE to Sybase, for which the vendor had released
patches.

It said that in line with its responsible disclosure policy, it
was due to publish full technical details of the vulnerabilities on
March 21.

However, NGSS said on the morning of March 21 it received a
letter from the Sybase legal team requesting that NGSS withhold
technical details of these serious vulnerabilities
indefinitely.

"Consequently, NGSS feel unable to publish the technical details
of these bugs until the legal situation has been resolved. NGSS
believe that it is not in the best interest of Sybase customers for
Sybase to prevent publication of the technical details of these
bugs," the company said its posting.

Update, March 30: Neither NGSS nor Sybase has
yet responded to a request for further comment.

Microsoft Corporation said it had no comment to offer.

Noted US security consultant Richard Forno said: "Simple: Who's
the villain here? NGSS for responsibly reporting a problem with
Sybase software? Or Sybase for covering it up by threatening NGSS
with legal action while at the same time not doing anything about
the problem except issuing a saccharine press statement containing
nothing of substance?"

He said NGSS had the moral high ground in this case. "From what
I've heard/read thus far, they didn't release exploit code and gave
the vendor a fair chance to respond/fix the problem. Sybase, in
turn, essentially slams the door on them and tries to censor them
while placing their users at a higher risk of exploitation by
capitalising on their ignorance of the problem in question. Very
sad and very disturbing. But also a growing trend."

Forno said in his opinion security through ignorance did not
work - though one could profit nicely from it.

eEye Digital Security was also asked for comment as it has a
policy of releasing the basics of a security advisory and then
waiting for a company to patch a product before releasing full
technical details. However, the company has not responded.

Update, March 31: Asked for his opinion about
the matter, independent security researcher Brian Martin, who is
better known as Jericho, said: "The one thing that continually
amazes me is the brainiacs at these companies who think that
lawsuit threats really stop that information from being discovered
by other people, and think that such threats outweigh the negative
publicity it gives them.

"This is also a fairly big insult to their customers... 'we
don't think our customers are smart enough to patch, we need to
protect them by threatening the people who helped make them more
secure to begin with'!"